ABSTRACT

A practical method is presented for automating in a uniform way the verification of Pascal programs that operate on the standard Pascal data structures ARRAY, RECORD, and POINTER. New assertion language primitives are introduced for describing computational effects of operations on these data structures. Axioms defining the semantics of the new primitives are given. Proof rules for standard Pascal operations on pointer variables are then defined in terms of the extended assertion language. Similar rules for records and arrays are special cases. An extensible axiomatic rule for the Pascal memory allocation operation, NEW, is also given.

These rules have been implemented in the Stanford Pascal program verifier. Examples illustrating the verification of programs which operate on list structures implemented with pointers and records are discussed. These include programs with side effects.
1. INTRODUCTION

This paper presents axiomatic proof rules for standard PASCAL operations on the data structures ARRAY, RECORD and POINTER. Axiomatic semantics for these data structures have been given in some form in previous publications ([Hoare & Wirth], [Burstall], [Spitzen & Wegbreit]). However, here our emphasis is on the notion of a proof rule. That is, we are interested in defining proof rules for operations on these structures that are suitable for addition to the existing set of proof rules employed by current automatic verifiers; this we call verification oriented semantics. These rules not only define the semantics of operations on the data structures axiomatically. They are also programmable reduction rules suitable for automating a significant part of the search for proofs of programs that operate on complex data structures.

The main problem, from the point of view of extending the present verifiers, is to be able to cope with certain forms of the assignment statement. The semantic definition of assignment given in [Hoare 69] is entirely adequate for assignment to a variable of any arbitrary type. In this paper we are concerned with finding verification rules for assignment in the case when the left hand side is an expression containing operations which select a substructure of a data structure. For example, array assignment rules given in [King], [Igarashi, London, & Luckham] (henceforth called [ILL]), and [Suzuki a] define the semantics of A[I]←E. Here the index I "selects" or picks out an element of the array data structure A, so the meaning is different from assignment to the variable A itself: a specified part of the value of A is changed!

We shall give rules for standard Pascal operations such as X↑.F←Y where X is a pointer to a record with field F. Rules for these kinds of operations are needed in order to improve program verification methods to a point where certain classes of complex programs such as garbage collectors and schedulers can be verified.

The idea presented here is to generalise the rule in standard use for assignment to an array element. This leads to a single scheme which defines proof rules for assignment to substructures of array, record and pointer structures as special cases. In addition, the allocation operation, NEW(X), whereby new structures can be created during a computation, needs to be given a verification oriented rule. We do this here at the same time.

Section 2 presents an overview both of the way proof rules can be used in automating verification, and of how considerations similar to those which led to the array rule will lead to our generalisation of it for records and pointers. We feel that it is reasonable to say something about the use of the proof rules since some of our decisions are based on facilitating implementation. However, we do rely on earlier papers [ILL, Suzuki b] for full details about verification systems. Section 3 gives the general definitions of the extended assertion language and the most general form of the new proof rules. Section 4 is devoted to illustrating how a verifier with these rules can be used to obtain proofs of properties of programs which operate on tree structures built up from pointers and records. It is shown there that our extended verification system is capable of proving such properties as "program A does not introduce loops into list structure L" for actual programs containing about a page of Pascal code.

In this paper we omit formal justification of our rules. Normally, this would take the form of a soundness proof. A model of PASCAL computations would be defined and then it would be shown that the proof rules describe state transformations of the model. Instead we rely on the motivation in Section 2 to convince the reader that our formal rules do correspond to his intuitive understanding of the PASCAL semantics.


2. MOTIVATION

The reasoning which leads us to our proof rules can be paraphrased as follows. First we have to know "intuitively" what the PASCAL operations do; that is, what transformations they make to data structures. We extend the standard assertion language (i.e. Pascal Boolean expressions with the addition of quantifiers and defined relations; see [ILL, Suzuki b]) so that it contains expressions which formally represent data structures and transformations of data structures. These new assertion language expressions are called data structure representations. Then we can give formal proof rules for Pascal operations in terms of such representations. The representations themselves have semantic definition rules which permit simplifications to be made automatically. This enables proofs of simple programs to be completely automated. Below we outline this reasoning by giving first the "intuitive" transformation rule for an operation on a structure, then the new expressions that we add to the assertion language to represent the transformation and the semantics of the expressions, and then the formal proof rule for that operation. We deal in succession with the cases of Arrays, Records, and finally, Pointers. This should clarify the general definitions of representations and proof rules in Section 3. We begin next with a short discussion of verification oriented rules in general.




2.1 Reduction Rules.

Axiomatic semantic rules within Hoare's weak logic of programs [Hoare 69, 71, ILL] are nearly all of the form

$\dfrac{A,\ B}{C}$

meaning "If A and B are both true (the premisses of the rule) then C is also true (conclusion)". Here, A, B, C are either Boolean formulas or statements about programs. The latter kind of statement has the form P{S}Q where P and Q are Boolean formulas and S is a program part (i.e. a sequence of Pascal statements). P and Q are the input and output specifications for S. In the deduction rule, C is always a statement about a program part.

We can regard a deduction as taking place by applying a rule "downwards". However, such a rule is employed "upwards" as a problem reduction rule in a typical verifier [ILL]. This means that if some problem C' matches C in the sense that C' = Cα where α is a substitution of actual parameters for formal parameters, then Aα and Bα will be generated as "reduced" problems to be solved. This reduction process can be continued until all the reduced problems are purely logical formulas and do not contain any program statements. These formulas are called Verification Conditions (VC's). The reader is referred to [ILL] for examples of problem reduction and generation of VC's.
2.2 Forwards Rules and Backwards Rules.

The semantic meaning of the assignment statement is defined by axioms in Hoare's system. For example, assignment to a simple variable may be defined by (AVF stands for Assignment to a Variable Forwards):

AVF. $P(X) \wedge X = X_0\ \{X \leftarrow E\}\ P(X_0) \wedge X = E|_{X}^{X_0}$

where $E|_{X}^{X_0}$ denotes the substitution of $X_0$ for X in E.

The axiom AVF is a true statement of the Logic of Programs for all formulas P. Intuitively, this axiom describes the way X←E changes the state of any computation. It says: suppose $P \wedge X = X_0$ is true of the state before X←E. Then after executing X←E, two things will be true: (a) the value of X will change to $E|_{X}^{X_0}$, and (b) true statements about the value of X before assignment are still true of the old value $X_0$ after.

We call this axiom a "forwards" rule because the postcondition (after execution) shows how the precondition (before execution) is changed. Such rules are not the easiest to implement in automatic verification systems because of the equality terms $X = E|_{X}^{X_0}$ in the postcondition. The basic problem is the question of when to substitute $E|_{X}^{X_0}$ for X in any formulas that may get generated later on in the process. It is easier to avoid the generation of equalities altogether. So, in verification systems we often use "backwards" axioms like AVB (from [Hoare]).

AVB. $P(E)\ \{X \leftarrow E\}\ P(X)$

where P(E) is P with E substituted for all occurrences of X. This is a "backwards" rule: it states that if P(X) is to be true after X←E is executed then P(E) must be true before. This is equivalent to saying that the effect of X←E will be to give X the value E. The forwards and backwards versions of the rules are equivalent, and the verification conditions produced by verifiers using either version are also equivalent.

A verifier, given a problem ENTRY {S1; ...; Sn} EXIT, and using backwards axioms, will work backwards in the following sense. Starting with EXIT it will deduce (using either upwards or backwards rules) what has to be true before statement Sn, and from that it will deduce what must be true before Sn-1, and so on.

In the following we shall develop backwards rules since they are easier to implement.


2.3 Assignment to Array Elements.

Now consider an axiomatic semantic rule for assignment to an element of an array (Assignment to Array Backwards) given in terms of an informal assertion language:

AAB. $\text{if } I = J \text{ then } P(E) \text{ else } P(A[J])\ \{A[I] \leftarrow E\}\ P(A[J])$

We might all agree (given that we understand the meaning of "if-then-else") that this defines the meaning of "A[I]←E". The rule states what must be true of the computation state of a program before performing A[I]←E if P(A[J]) is to be true after. The semantics is defined by the change in the computation state. Rule AAB is a scheme in that it holds for all formulas P. However, if we add this rule to a verifier, we have the complication that if we are trying to verify, say, ENTRY {B; A[I]←E} P(A[J]), an application of AAB will leave us to verify

(1). ENTRY {B} (if I=J then P(E) else P(A[J])).

And we will not know at the time (1) is generated whether I=J or not. The information required to determine if I=J is most likely contained in the preceding program B.

Thus rule AAB requires the assertion language to contain array and index variables, and conditionals. In addition, the reduction rules will have to allow for conditional assertions.

Nested conditional assertions grow exponentially, and it is advisable for implementation to replace them by an explicit representation in the assertion language of the change to A resulting from A[I]←E. To achieve this, we have introduced assertion language expressions that represent the result of selector and assignment operations on arrays. It should be emphasised that the expressions represent structures resulting from operations.

Syntax of REWRITE and SELECTOR expressions for Arrays:

REWRITE: ⟨A, [I], E⟩

SELECTOR: [J]

where A is an array with elements of type T, I and J are indices, and E is an expression of type T.

Intuitively, the rewrite expression represents the array obtained from A by assigning E to A[I]. And ⟨A,[I],E⟩[J] represents the Jth element of this array. The two kinds of expressions can be concatenated together (see Example 1 below), and the rewrites may be nested to represent the result of sequences of operations on A.

These assertion language expressions obey the following rules which define their semantics:

SEM1. $\langle A,[I],E\rangle[J] = E$ if $I = J$,
      $\langle A,[I],E\rangle[J] = A[J]$ if $I \neq J$.

The verification-oriented rule for assignment to arrays may now be given using the extended assertion language.

V1. $P(\langle A,[I],E\rangle)\ \{A[I] \leftarrow E\}\ P(A)$

where all occurrences of A in P(A) are replaced by ⟨A,[I],E⟩ to form P(⟨A,[I],E⟩).

Note the special case of V1: $P(\langle A,[I],E\rangle[J])\ \{A[I] \leftarrow E\}\ P(A[J])$.

This is our version of AAB.


Let us see how the rules V1 and SEM1 work on a simple example.

EXAMPLE 1.   1. A[K] ← I;
             2. A[A[K]] ← E;
             EXIT P(A[I]).

We want the exit assertion to be true after the two operations. Successive applications of (V1) state that P(⟨A,[A[K]],E⟩[I]) must be true before instruction 2, and P(⟨⟨A,[K],I⟩,[⟨A,[K],I⟩[K]],E⟩[I]) must be true before 1. Using SEM1 this last assertion reduces to P(E).

Essentially, the introduction of the REWRITE expressions into the assertion language is to represent the changes in the data structure that occur as the result of assignment to an array element. The semantics of programming language statements assigning to array elements are then defined in terms of such changes by rule V1. The rule SEM1 enables us to simplify expressions containing rewrites and selectors when the values of indices are determined. It is clear that both rules are easy to implement, so that both the construction of the representations and their simplification can be automated.

The notation for REWRITE used here is due to [Hoare and Wirth]; different notation appears in [King]. One of the nice features of this notation is its compact nesting property for representing successive assignments.


2.4 Assignment to Record Fields.

An assignment R.F←E, where R is a record with a field F, changes a record data structure in exactly the same way as assignment to an array element changes an array. Analogous assertions and rules are used to define the semantics of assignment to a record field. We describe them briefly here.

Syntax of REWRITE and SELECTOR expressions for Records:

REWRITE: ⟨R, .F, E⟩

SELECTOR: .F

where R is a record, F is an identifier of a field of R of type T, and E is an expression of type T.

The semantics of these new assertion language expressions are given by:

SEM2. $\langle R,.F,E\rangle.G = E$ if $F = G$,
      $\langle R,.F,E\rangle.G = R.G$ if $F \neq G$.

The verification proof rule for assignment to record fields is:

V2. $P(\langle R,.F,E\rangle)\ \{R.F \leftarrow E\}\ P(R)$


2.5 Assignment to Dereferenced Pointers.

Let us now define similar axiomatic rules for assignment to dereferenced pointers, i.e. assignments of the form X↑←E. Intuitively, X↑←E means that the value in the memory location to which X points is changed to E.

We might try to define the semantics of such statements by a backwards rule such as

APB. $\text{if } X = Y \text{ then } P(E) \text{ else } P(Y{\uparrow})\ \{X{\uparrow} \leftarrow E\}\ P(Y{\uparrow})$

The rule is an obvious backwards way of saying that if X and Y point to the same memory location (i.e. X=Y) before X↑←E, then Y↑=E afterwards.

This rule resembles the intuitive backwards array rule, AAB, with X playing the role of an index I. In AAB, I picks out an element of the array A. However, in this case we do not have a name in the assertion language for the set of values X can point to (i.e. reference). So the first thing we shall do is to introduce names for such sets of values, called REFERENCE CLASSES (the early Pascal definition contains the concept of a reference class [Wirth]). Of course, a reference class is unbounded, but it can be accessed and parts of it selected in exactly the same way as an array. So the notation we shall use for representing computations on reference classes will be very similar (in fact the differences are merely to distinguish them from operations on arrays). For example, if P·REF is a reference class then P·REF⊂X⊃ will denote the value that X points to (i.e. the same thing as X↑). The result of X↑←E can be represented by ⟨P·REF, ⊂X⊃, E⟩. In this notation the round brackets ⊂ ⊃ are analogous to the square brackets for indexing arrays.

Thus we extend the assertion language in order to represent computations involving assignment to dereferenced pointers as follows.

For each pointer type declaration,

TYPE name1 = ↑name2

we add P·name2 to the assertion language. This is the name of the finite reference class of elements of type name2 that exist at the start of a computation.

Syntax of REWRITE and SELECTOR expressions for Reference Classes:

REWRITE: ⟨C, ⊂X⊃, E⟩

SELECTOR: ⊂X⊃

where C is a reference class of elements of type T, X is a pointer of type ↑T, and E is an expression of type T.

These expressions satisfy semantic rules similar to the previous ones:

SEM3. $\langle C,{\subset}X{\supset},E\rangle{\subset}Y{\supset} = E$ if $X = Y$,
      $\langle C,{\subset}X{\supset},E\rangle{\subset}Y{\supset} = C{\subset}Y{\supset}$ if $X \neq Y$.

The verification rule for assignment to dereferenced pointers is:

V3. a. $P(\langle P{\cdot}\mathit{name2},{\subset}X{\supset},E\rangle)\ \{X{\uparrow} \leftarrow E\}\ P(P{\cdot}\mathit{name2})$
and
    b. $P(\langle P{\cdot}\mathit{name2},{\subset}X{\supset},E\rangle{\subset}Y{\supset})\ \{X{\uparrow} \leftarrow E\}\ P(Y{\uparrow})$
       for all occurrences in P of Y of type name1.

The reader may note that our extension of the assertion language has introduced different notation for the same thing: Y↑ and P·name2⊂Y⊃ both represent the value Y points to. If the verifier uniformly eliminates one notation in favour of the other, we shall need only one of the V3 rules.

Let us see how this rule will work on a typical "side-effects" example.

EXAMPLE 2.   TYPE A = ↑B;
             VAR X, Y: A;
             1. Y ← X;
             2. X↑ ← 1;
             3. Y↑ ← 2;
             EXIT X↑ = 2.

This example has a side effect in the sense that instruction 3 mentions only the value Y↑ but also changes the value X↑.

If the exit is true after 3, then by (V3)b, ⟨P·B,⊂Y⊃,2⟩⊂X⊃ = 2 must be true before 3. By (V3)a, ⟨⟨P·B,⊂X⊃,1⟩,⊂Y⊃,2⟩⊂X⊃ = 2 must hold before 2. But now the simple assignment rule for variables, P(X){Y←X}P(Y), tells us that ⟨⟨P·B,⊂X⊃,1⟩,⊂X⊃,2⟩⊂X⊃ = 2 has to hold on entry. This is easily seen to reduce to 2=2 by SEM3.


2.6 Storage Allocation.

A reference class is indefinitely extendible by the Pascal allocation operation, NEW(X). The intuitive meaning of NEW(X) is that a memory cell which has not previously occurred in the computation is appended to the reference class P·name2, and the value of X is changed so that X "points to" this new cell. The value of X↑ is undefined. It is assumed that such a new cell always exists. This semantics is defined by means of memory functions in [Hoare & Wirth].

Our assertions must be able to represent such extensions, so we introduce the notation P·name2∪{X'} to represent the reference class of X extended by the operation NEW(X), where X' is a "new" identifier. More generally, D∪{X'} represents an extension of the class represented by D. We refer to "∪" as the extension operation on data structures. We now have to see if this addition to the assertion language is sufficient to permit the definition of a proof rule for allocation.

The problem facing us here is to define a semantic proof rule which states how an arbitrary assertion about a computation state is affected by allocation. Our rule must express both of the effects of NEW(X), namely the extension of the reference class and the "newness" of X. Let us discuss these two aspects separately.

First, suppose a reference class has a representation of the form ⟨P·T, ⊂Y⊃, E⟩. After NEW(X) its representation will be ⟨P·T,⊂Y⊃,E⟩∪{X'} where X' is an identifier not occurring in any expression so far (i.e. a new identifier). But the newness of X' clearly implies that ⟨P·T∪{X'},⊂Y⊃,E⟩ also represents the same structure. More generally, we have:

SEM4. If ⟨D,S,E⟩ represents a reference class and X' is a new identifier, then ⟨D,S,E⟩∪{X'} and ⟨D∪{X'},S,E⟩ represent the same reference class.

So a first approximation to a backwards rule for allocation, expressing only the extension of a reference class (analogous to the backwards rule for assignment), is:

$Q(P{\cdot}T \cup \{X'\})\ \{\mathrm{NEW}(X)\}\ Q(P{\cdot}T)$

where X' is a new identifier, P·T is the name of the reference class of elements of type_of X↑, and X does not occur in Q.

Secondly, how does an allocation NEW(X) affect an assertion about X, say Q(X)? The intended semantics is that X is given a "new" value X' which is distinct from any previous pointer, and nothing else in the state is changed. Any arbitrary new value X' may be allocated to X. Ignoring the extension of P·T, these properties are expressed by the following backwards rule:

$\forall Y_i \in \mathrm{SET\_OF}\ P{\cdot}T\ (X' \neq Y_i) \supset Q(X')\ \{\mathrm{NEW}(X)\}\ Q(X)$

where X' is a new identifier, and SET_OF P·T is the set of all pointer expressions of type_of X that do not contain X'.

This rule states that if Q(X) is to be true after NEW(X), then Q(X') must be true of any "new" X' before.

We may combine the two rules above as follows.

NEWB. $\forall Y_i \in \mathrm{SET\_OF}\ P{\cdot}T\ (X' \neq Y_i) \supset Q\big|_{P{\cdot}T,\,X}^{P{\cdot}T \cup \{X'\},\,X'}\ \{\mathrm{NEW}(X)\}\ Q$

where P·T is the name of the reference class of elements of type_of X↑, X' is a new identifier, and SET_OF P·T is the set of all pointer expressions of type_of X that do not contain X'.

This rule assumes the axioms SEM4. In addition we have further axiomatic properties of the extension operation:

SEM5. $D \cup \{Y\}{\subset}X{\supset} = D{\subset}X{\supset}$ if $X \neq Y$, and is undefined if $X = Y$,

where D is a representation of a reference class.

We cannot implement NEWB as it stands because SET_OF P·T is too large. The verification rule for NEW in Section 3 is weaker but can be strengthened by additional axioms from the user.


2.7 Sequences of Selectors.

So far we have dealt with assignments in which the left side contains only one selector operation. Pascal allows sequences of selector operations. We have to extend the assertion language still further by introducing sequences of selectors in order to describe the data structure changes made by such assignments.

For example, consider X↑.F↑.G. This is a selector sequence that would be applicable to a list of records where the F field of each record was a pointer to the next record in the list. We can compute the representation as follows. P·N⊂X⊃ represents X↑; P·N⊂X⊃.F represents X↑.F, which is another pointer; so P·N⊂P·N⊂X⊃.F⊃ represents X↑.F↑, and the representation of the entire sequence above is P·N⊂P·N⊂X⊃.F⊃.G. This is a sequence of the form P·N⊂Z⊃.G where Z is not a simple pointer variable, but is a representation of a data structure of type pointer. So our selectors will not be as simple as before.

Simultaneously, the set of rewrite expressions that will now be used to represent data structures within the assertion language must also be extended. Thus, the change to the reference class P·N that occurs when X↑.F↑.G←E is executed can be represented by the rewrite ⟨P·N, ⊂P·N⊂X⊃.F⊃.G, E⟩. As we see from this example, the syntax of rewrites must be extended to permit representations of the form ⟨X,S,E⟩ where S is a selector sequence.

It should be noted that the rule for assignment with a single selector on the left is not sufficient to express the general assignment even if we introduce dummy program variables. For example, we could try to rewrite X↑.F↑.G←E as Y←X↑.F↑; Y.G←E. However, in the second case, E is placed in the G field of a new copy of X↑.F↑, whereas in the first case E is placed directly into the original record.
3. PROOF RULES FOR OPERATIONS ON DATA STRUCTURES.

In this section we define proof rules for assignment statements with expressions involving data structure selectors in the most general case. The rule for assignment presented here can be regarded as defining the semantics of assignment. In the case of dereferenced pointers it fills in a gap in the axiomatic semantics of Pascal assignment in [Hoare & Wirth]. We shall also present a rule for storage allocation which is not complete in any reasonable sense, but which represents a compromise between a logically complete rule and what is computationally feasible for automating proofs. It can be extended by the user to handle any particular problem.

First, we must define the extensions of the standard assertion language (cf. [ILL] section 2) that have been introduced expressly for the purpose of making statements about complex data structures (i.e. structures containing identifiable substructures).


3.1 New Assertion Language Primitives

Notation: We will use ∗ to denote concatenation. Λ denotes the empty sequence.

Complex data structures are represented by Assertion Language expressions of the form ⟨A,I,E⟩ and A∗J where A and E are themselves data structure representations, and I and J are sequences of applicable selectors. Intuitively, ⟨A,I,E⟩ represents "the structure obtained from A by replacing the substructure of A selected by I with E". A∗J represents "the substructure of A selected by J". This notation generalizes the notation for arrays used by earlier writers ([McCarthy], [King], [Hoare & Wirth]). We will first define the syntax of the representations.

Terminology: A TYPE-NAME is any identifier introduced as the name of a type by a Pascal type declaration.

DEFINITION (reference class identifier)

For each pointer type declaration, TYPE T = ↑T0; where T0 is a type identifier, we introduce a reference class identifier P·T0 for the reference class of T0.

Intuitively, P·T0 represents an unbounded set of data structures of type T0 that pointer variables of type T may refer to. These sets are called reference classes. They are not types in Pascal (although the syntax for reference class appears in the early version of the Pascal specification [Wirth]). They are assertion language primitives and behave very much like unbounded arrays; their semantics are defined by axioms in Section 3.2.

DEFINITION (types)

i) INTEGER, REAL, and BOOLEAN are types.

ii) If T, T0, ..., Tn are types and F0, ..., Fn are identifiers (field identifiers) then

ARRAY[K..L] OF T,

RECORD F0:T0; F1:T1; ...; Fn:Tn END,

↑T, and

P·T

are types.

iii) They are the only types.

In the definitions below we use the following notation:

D, D' -- data structure representations,
C -- a reference class representation,
E -- a Pascal expression,
I -- an integer type data structure representation,
N -- a type name,
Y -- a pointer type variable,
X -- a pointer type data structure representation,
F -- a field identifier,
S -- a selector sequence.

DEFINITION (selector sequences)

S ::= Λ | [I]∗S | ⊂X⊃∗S | .F∗S

DEFINITION (S is applicable to D)

S is empty, or
D is of type ARRAY[K..L] and S = [I]∗S' and K ≤ I ≤ L and S' is applicable to D[I], or
D is of type RECORD and S = .F∗S' and F is a field of D and S' is applicable to D.F, or
D is of type REFERENCE CLASS of N, and S = ⊂X⊃∗S' and X is of type ↑N and S' is applicable to D⊂X⊃.

DEFINITION

(a) (reference class data structure representations)

C ::= P·N | C∪{Y} | ⟨C,S,D⟩

(b) (data structure representations)

D ::= E | C | ⟨D,S,D'⟩ | D∗S

subject to the restrictions:

(i) S is applicable to C and D.

(ii) In ⟨C,S,D⟩ and ⟨D,S,D'⟩, type_of(C∗S) = type_of(D) and type_of(D∗S) = type_of(D').

This completes the definition of the syntax of data structure representations.
3.2 Axioms for data structure representations.

Here L and K stand for (possibly empty) selector sequences.

Ax 1. $D \ast \Lambda = D$.

Ax 2. $\langle D, \Lambda, E\rangle = E$.

Ax 3. $\langle D, [I]\ast L, E\rangle \ast [J] \ast K = \text{if } I = J \text{ then } \langle D\ast[I], L, E\rangle \ast K \text{ else } D \ast [J] \ast K$.

Ax 4. $\langle D, .F\ast L, E\rangle \ast .G \ast K = \text{if } F = G \text{ then } \langle D\ast.F, L, E\rangle \ast K \text{ else } D \ast .G \ast K$.

Ax 5. $\langle D, {\subset}X{\supset}\ast L, E\rangle \ast {\subset}Y{\supset} \ast K = \text{if } X = Y \text{ then } \langle D\ast{\subset}X{\supset}, L, E\rangle \ast K \text{ else } D \ast {\subset}Y{\supset} \ast K$.

Ax 6. $\langle D, L, D\ast L\rangle = D$.

Ax 7. $\langle\langle D, [I]\ast L, V\rangle, [J]\ast K, U\rangle = \text{if } I = J \text{ then } \langle D, [I], \langle\langle D\ast[I], L, V\rangle, K, U\rangle\rangle \text{ else } \langle\langle D, [J]\ast K, U\rangle, [I]\ast L, V\rangle$.

Ax 8. $\langle\langle D, .F\ast L, V\rangle, .G\ast K, U\rangle = \text{if } F = G \text{ then } \langle D, .F, \langle\langle D\ast.F, L, V\rangle, K, U\rangle\rangle \text{ else } \langle\langle D, .G\ast K, U\rangle, .F\ast L, V\rangle$.

Ax 9. $\langle\langle D, {\subset}X{\supset}\ast L, V\rangle, {\subset}Y{\supset}\ast K, U\rangle = \text{if } X = Y \text{ then } \langle D, {\subset}X{\supset}, \langle\langle D\ast{\subset}X{\supset}, L, V\rangle, K, U\rangle\rangle \text{ else } \langle\langle D, {\subset}Y{\supset}\ast K, U\rangle, {\subset}X{\supset}\ast L, V\rangle$.

Ax 10. $D \cup \{X\} \ast {\subset}Y{\supset} \ast K = \text{if } X = Y \text{ then Undefined else } D \ast {\subset}Y{\supset} \ast K$.

Ax 11. If $X \neq Y$ then $\langle D, {\subset}X{\supset}\ast L, E\rangle \cup \{Y\} = \langle D \cup \{Y\}, {\subset}X{\supset}\ast L, E\rangle$.

Examples

We illustrate how properties of data structure representations can be proved
using these axioms.

1)  I ≠ J ⊃ <<A,[I],1>,[J],2>•[I] = 1

This statement says that after assigning 1 to the I-th element and 2 to the
J-th element, the value of the I-th element is 1 if I ≠ J.

Using Ax 3, the statement is reduced to

I ≠ J ⊃ <A,[I],1>•[I] = 1.

Then using Ax 3 again, it becomes

I ≠ J ⊃ 1 = 1.

2)  <<A,[I][J],2>,[K],B>•[I][L]
    = if K ≠ I then (if L = J then 2 else A[I][L]) else B[L]

Applying Ax 3 to the left-hand side of the equation reduces it to

if K = I then <<A,[I][J],2>•[K],∅,B>•[L] else <A,[I][J],2>•[I][L]

Applying Ax 2 to the then-part and Ax 3 to the else-part, we get

if K = I then B[L] else <A[I],[J],2>•[L]

This finally reduces by Ax 3 to

if K = I then B[L] else if J = L then 2 else A[I][L]
3.3 Axioms for assignment and storage allocation.

Rule 1 (Introduction of Reference Class Identifiers)

In all Boolean formulas, all dereferenced pointers, X↑, are replaced by
P#T⟨X⟩ where type_of(X) = ↑T.

Examples:

X↑  →  P#T⟨X⟩  assuming type_of(X) = ↑T.
X↑.F  →  P#T⟨X⟩.F
A(X↑.F)  →  A(P#T⟨X⟩.F)
X↑.F↑.G  →  P#S⟨P#T⟨X⟩.F⟩.G  assuming type_of(X↑.F) = ↑S.

Note that the introduction must take place from inside out.

The reference class introduction rule can be formally defined by the following
function ar. (ar stands for actual representation.)

ar(V) = V ; if V is a simple variable
ar(A[I]) = ar(A)[ar(I)] ;
ar(R.F) = ar(R).F ;
ar(Z↑) = P#T⟨ar(Z)⟩ ; where type_of(Z↑) = T.

Rule 2 (General rule for assignment)

P^{<arn(V),ars(V),E>}_{arn(V)}  {V := E}  P

where arn(V) is the name part of the actual representation of V and ars(V) is the
selector sequence part of V. Thus, ar(V) = arn(V)•ars(V).
We can define arn(V) and ars(V) formally as follows.

arn(V) = V ; if V is a simple variable
arn(A[I]) = arn(A) ;
arn(R.F) = arn(R) ;
arn(Z↑) = P#T ; where type_of(Z↑) = T.

ars(V) = ∅ ;
ars(A[I]) = ars(A)•[ar(I)] ;
ars(R.F) = ars(R)•.F ;
ars(Z↑) = ⟨ar(Z)⟩ .

Rule 2 reduces in simple cases to rules in [Hoare & Wirth]:

1) Simple variable V.

In this case arn(V) = V and ars(V) = ∅. So the rule becomes

P^{<V,∅,E>}_V  {V := E}  P.

However, from Ax 2, <V,∅,E> = E. Thus, we obtain the original rule.

2) Simple array V = A[I].

arn(V) = A and ars(V) = [I]. So the simple array assignment rule is obtained
from the general rule:

P^{<A,[I],E>}_A  {A[I] := E}  P.

3) Simple record V = R.F.

Then arn(V) = R and ars(V) = .F. So the simple record assignment rule is
obtained from the general rule:

P^{<R,.F,E>}_R  {R.F := E}  P.

Rule 3 (Storage allocation)

∧_{Y∈F} Y ≠ X' ⊃ Q^{P#T∪{X'}, X'}_{P#T, X}  {NEW(X)}  Q

where type_of(X) = ↑T, X' is a newly created variable which does not appear anywhere,
and F is the set of variables of Q whose types are ↑T.

The allocation rule NEWB (Section 1.6) cannot be derived from Rule 3. NEWB is not
suitable for implementation because of the potentially large number of terms in the
SET_OF P#T each of which contributes an inequality in the premiss. This leads to
very large Verification Conditions with large numbers of irrelevant inequalities. The
set F in Rule 3 is a "first approximation" to SET_OF P#T. The union notation for
the extension of the reference class P#T permits the user to add documentation
statements which have the effect of adding extra assumptions to the premiss.

For example, suppose we introduce a predicate NOTEQUAL(C,D,D') satisfying:

i. NOTEQUAL(C,E,F) ⊃ E ≠ F for all reference classes C and terms E and F,

ii. NOTEQUAL(P#T∪{X'},Y↑S,X') for all variables Y and selector sequences S,
X' being the newly created variable,

iii. NOTEQUAL(P#T∪{X'},Y,X') for all variables Y different from X'.

Then we will be able to prove TRUE {NEW(Z)} Z ≠ X↑.CDR. This is not
provable using Rule 3 alone although it is a consequence of NEWB.

4. EXAMPLES.

The extensions to the assertion language and proof rules defined in Section 3
have been implemented in the Stanford Pascal verifier. The verifier also uses axioms
Ax1-Ax6 (Section 3.2) to simplify VC's.

Some example verifications of programs with pointer type parameters are given
below. Details of the verifier and studies of other applications can be found in
[Suzuki a,b], [v.Henke & Luckham], and [Luckham & Suzuki]. In particular a
methodology for verifying programs with this sort of verifier is outlined in [v.Henke
& Luckham].


4.1 Side effects in pointer data structures.

Example 1.

TYPE LINEAR = RECORD VAL: INTEGER;  NEXT: ↑LINEAR END;
VAR U, X, Y, Z: ↑LINEAR;
BEGIN
  NEW(U); NEW(X); NEW(Y); NEW(Z);
  U↑.VAL := 1;
  U↑.NEXT := X;
  X↑.VAL := 2;
  X↑.NEXT := Y;
  Y↑.VAL := 3;
  Y↑.NEXT := Z;
  Z↑.VAL := 4;
  {At this point there is a four cell linear list. Fig. 1}
  X↑.NEXT := Z;
  {Now Y↑ has been cut out of the linear list. Fig. 2}
  ASSERT U↑.NEXT↑.NEXT↑.VAL = 4
END.


Fig. 2 shows the final state of the reference class P#LINEAR. The only operation
involving U↑.NEXT↑.NEXT↑.VAL assigns 3 to the cell. That cell is then "short
circuited" out of the list by an operation that does not explicitly mention it.

The result of giving example 1 to the verifier is a single VC; before simplification it
looks like this:
FOR MAIN PROGRAM

THERE ARE 1 VERIFICATION CONDITIONS

# 1

(¬Y00=Z00 ∧
 ¬X00=Z00 ∧
 ¬U00=Z00 ∧
 ¬U00=Y00 ∧
 ¬X00=Y00 ∧
 ¬U00=X00 ∧
 TRUE
⊃ <<<<<<<<P#LINEAR∪{U00}∪{X00}∪{Y00}∪{Z00},⟨U00⟩.VAL,1>,⟨U00⟩.NEXT,X00>,
   ⟨X00⟩.VAL,2>,⟨X00⟩.NEXT,Y00>,⟨Y00⟩.VAL,3>,⟨Y00⟩.NEXT,Z00>,⟨Z00⟩.VAL,4>,
   ⟨X00⟩.NEXT,Z00>⟨<<<<<<<<P#LINEAR∪{U00}∪{X00}∪{Y00}∪{Z00},⟨U00⟩.VAL,1>,
   ⟨U00⟩.NEXT,X00>,⟨X00⟩.VAL,2>,⟨X00⟩.NEXT,Y00>,⟨Y00⟩.VAL,3>,⟨Y00⟩.NEXT,Z00>,
   ⟨Z00⟩.VAL,4>,⟨X00⟩.NEXT,Z00>⟨<<<<<<<<P#LINEAR∪{U00}∪{X00}∪{Y00}∪{Z00},
   ⟨U00⟩.VAL,1>,⟨U00⟩.NEXT,X00>,⟨X00⟩.VAL,2>,⟨X00⟩.NEXT,Y00>,⟨Y00⟩.VAL,3>,
   ⟨Y00⟩.NEXT,Z00>,⟨Z00⟩.VAL,4>,⟨X00⟩.NEXT,Z00>⟨U00⟩.NEXT⟩.NEXT⟩.VAL=4)

AFTER SOME SIMPLIFICATION, YOU CAN GET

# 1

TRUE

TIME: 21 CPU SECS, 54 REAL SECS


The unsimplified VC has the form Q ⊃ (D•S = 4) where D represents all the changes
made to P#LINEAR (in order), and S selects U↑.NEXT↑.NEXT↑.VAL. (Clearly it would
be nice to have a picture of D such as Fig. 2!) Variables X00, Y00, etc. and the
inequalities between them result from the allocation rule.

In this example the simplification axioms (Section 3.2) reduce the VC completely to
TRUE and no additional information is required of the user.
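As an added illustration (not code from the paper or from the Stanford verifier), the following Python rewriter applies Ax 1-5 of Section 3.2 to reduce D•S terms: it reproduces examples 1) and 2) of Section 3.2 and then the selection U↑.NEXT↑.NEXT↑.VAL from the reference class built by Example 1 above, with the allocation terms ∪{X00} omitted and the six ≠ premisses of the VC modelled as a set of known-distinct pairs. The Upd/Sel/Cond names, the selector encoding ('idx', 'fld', 'ptr') and the plain cell names U, X, Y, Z are this example's own choices.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Upd:                 # <base, sel, val>: base updated at selector sequence sel with val
    base: object
    sel: tuple             # selectors ('idx', I) for [I], ('fld', F) for .F, ('ptr', X) for ⟨X⟩; () is ∅
    val: object

@dataclass(frozen=True)
class Sel:                 # base•sel left irreducible, e.g. A[I][L]
    base: object
    sel: tuple

@dataclass(frozen=True)
class Cond:                # if lhs = rhs then yes else no
    lhs: str
    rhs: str
    yes: object
    no: object

def select(d, s, distinct=frozenset()):
    """Reduce d•s with Ax 1-5.  `distinct` holds pairs frozenset({I, J}) that the
    hypotheses assert to satisfy I ≠ J (e.g. the ≠ premisses of a VC)."""
    if not s:
        return d                                    # Ax 1: D•∅ = D
    if not isinstance(d, Upd):
        return Sel(d, s)                            # nothing more to reduce
    if not d.sel:
        return select(d.val, s, distinct)           # Ax 2: <D,∅,E> = E
    (kind, i), rest_u = d.sel[0], d.sel[1:]
    (kind_s, j), rest_s = s[0], s[1:]
    assert kind == kind_s, "S is not applicable to D"
    def same():                                     # then-branch: <D•[I], L, E>•X
        if not rest_u:
            return select(d.val, rest_s, distinct)  # <D•[I],∅,E>•X = E•X by Ax 2
        inner = Upd(select(d.base, (d.sel[0],), distinct), rest_u, d.val)
        return select(inner, rest_s, distinct)
    if i == j:
        return same()
    other = select(d.base, s, distinct)             # else-branch: D•[J]•X
    if kind == 'fld' or frozenset((i, j)) in distinct:
        return other                                # F ≠ G is syntactic; I ≠ J was assumed
    return Cond(i, j, same(), other)                # I = J unknown: keep both branches

def show_sel(sel):
    return ''.join({'idx': '[%s]', 'fld': '.%s', 'ptr': '⟨%s⟩'}[k] % n for k, n in sel) or '∅'

def show(t):
    if isinstance(t, Upd):
        return f"<{show(t.base)},{show_sel(t.sel)},{show(t.val)}>"
    if isinstance(t, Sel):
        return show(t.base) + show_sel(t.sel)
    if isinstance(t, Cond):
        return f"if {t.lhs}={t.rhs} then {show(t.yes)} else {show(t.no)}"
    return str(t)

I, J, K, L = (('idx', n) for n in 'IJKL')

def example_1():
    """Example 1): I ≠ J ⊃ <<A,[I],1>,[J],2>•[I] = 1, with I ≠ J assumed."""
    return show(select(Upd(Upd('A', (I,), 1), (J,), 2), (I,), {frozenset('IJ')}))

def example_2():
    """Example 2): <<A,[I][J],2>,[K],B>•[I][L] with nothing known about K, I, J, L."""
    return show(select(Upd(Upd('A', (I, J), 2), (K,), 'B'), (I, L)))

def example_vc1():
    """U↑.NEXT↑.NEXT↑.VAL in the reference class built by Example 1 of Section 4.1
    (allocation terms ∪{..} omitted; the six ≠ premisses of its VC are assumed)."""
    ptr, fld = (lambda x: ('ptr', x)), (lambda f: ('fld', f))
    d = 'P#LINEAR'
    for cell, f, val in [('U', 'VAL', 1), ('U', 'NEXT', 'X'), ('X', 'VAL', 2), ('X', 'NEXT', 'Y'),
                         ('Y', 'VAL', 3), ('Y', 'NEXT', 'Z'), ('Z', 'VAL', 4), ('X', 'NEXT', 'Z')]:
        d = Upd(d, (ptr(cell), fld(f)), val)         # the eight assignments, in program order
    neq = {frozenset(p) for p in ('UX', 'UY', 'UZ', 'XY', 'XZ', 'YZ')}
    p = select(d, (ptr('U'), fld('NEXT')), neq)      # U↑.NEXT reduces to X
    p = select(d, (ptr(p), fld('NEXT')), neq)        # X↑.NEXT reduces to Z (the short circuit)
    return select(d, (ptr(p), fld('VAL')), neq)      # Z↑.VAL reduces to 4
```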




4.2 Verification Bases

Verifications normally depend on user-supplied lemmas. The verifier uses these
lemmas to simplify and prove VC's. If all VC's are reduced to TRUE this means that
there is a proof that the program satisfies its ENTRY/EXIT specifications assuming
the lemmas. The set of lemmas is called a BASIS of the verification. A basis is not
necessarily a complete axiomatization of given programming concepts but need be
only a set of lemmas provable from such an axiomatization. Indeed, the verifier can
be viewed as an instrument for searching for reasonable sets of assumptions that
imply the consistency of a program with its specifications. Methods for constructing
and analysing bases are described in [v.Henke & Luckham].

Lemmas are stated in simple logical forms called AXIOMS and GOALS. They
contain information about how they are to be used in proof searches; this need not
concern us here. To read the lemmas as logical statements, simply ignore all "@" signs
in the examples. Then a lemma of the form AXIOM A = B is the logical equivalence
A ↔ B, and GOAL A SUB B is the implication B ⊃ A.

The following examples deal with verifying that programs maintain the
loopfreeness of the list structures they operate on. The examples also show (a) the
use of the extended assertion language to express concepts such as loopfreeness of
lists, and (b) the characterization of concepts by lemmas in the basis.


4.3 Reachability in Linear Lists.

We wish to verify the loopfreeness of linear lists, in which each cell has one
pointer field, the NEXT field, which points to the next cell in the list. One way to
approach this problem is to introduce a predicate REACH(D,X,Y), where D is a
reference class representation of type reference class of T, and X, Y are both pointer
variables of type ↑T. REACH(D,X,Y) means that the sequence X, X↑.NEXT,
X↑.NEXT↑.NEXT, ... in the reference class D contains (or reaches) Y. This implies that
the list structure between X and Y in D is loopfree under the NEXT operation.
Notice that NEXT ought to be an explicit parameter of REACH, but since we are
assuming that our list structures have only one NEXT field, we have omitted it.

Example 2 is the insertion of an element into the middle of a linear list. We
verify that REACH(D,ROOT,SENTINEL) is still preserved after the insertion, ROOT
and SENTINEL being pointers to the beginning and end of the list.
SENTINEL↑.NEXT = NILL means that SENTINEL points to the last element of the list.

Example 2.

ENTRY REACH(P#WORD,ROOT,SENTINEL) ∧ ¬(Y=SENTINEL) ∧ (SENTINEL↑.NEXT=NILL) ∧
      REACH(P#WORD,ROOT,Y) ∧ REACH(P#WORD,Y,SENTINEL);
EXIT REACH(P#WORD,ROOT,SENTINEL);

TYPE REF = ↑WORD;
TYPE WORD = RECORD COUNT: INTEGER; NEXT: REF END;
VAR Y, Z, ROOT, SENTINEL: REF;
BEGIN
  NEW(Z);
  Z↑.NEXT := Y↑.NEXT;
  Y↑.NEXT := Z
END.
The set of lemmas in the goalfile below is a Basis for verifying example 2. We
do not claim that it is a complete characterisation of REACH(D,X,Y), but merely
that each of the lemmas is an obvious property of REACH that would be provable
given a complete set of axioms.

Thus Goal 1 states that for W to be reachable from X in a reference class
resulting from class D by performing Y↑.NEXT := Z, it is sufficient that REACH(D,X,Y)
and REACH(D,Z,W) and also ¬REACH(D,Z,Y) to ensure that no loop is introduced by
the operation. Clearly the truth of this lemma depends on more atomic properties e.g.
REACH(D,Y,Y↑.NEXT), transitivity (Goal 4), and REACH(D,Y,Y) (from which
¬REACH(D,Z,Y) implies Z ≠ Y).

Goal 2 is a statement about a "short circuit" operation; <D, ⟨Z⟩.NEXT,
D⟨Y⟩.NEXT> represents the reference class that results from D by
Z↑.NEXT := Y↑.NEXT. This excludes Y from the sequence Z, Z↑.NEXT, ... provided Y ≠ Z
and Y cannot be reached from Y↑.NEXT. A loop might however be introduced into
the new structure unless ¬REACH(D,Y,Z).

Goal 3 states sufficient conditions for Y not to be reachable from Y↑.NEXT.

Goal 5 is a typical frame axiom for storage allocation. It means that
reachability is not affected by the allocation of a new cell; Goals 6 and 7 are similar.

Goals 8 and 9 state conditions for Reachability when operations are performed
on a new cell.

It turns out that only goals … in proving the verification condition below.
GOALFILE

G1: GOAL REACH(<@D,⟨@Y⟩.NEXT,@Z>,@X,@W)
    SUB REACH(D,X,Y) ∧ ¬REACH(D,Z,Y) ∧ REACH(D,Z,W);

G2: GOAL ¬REACH(<@D,⟨@Z⟩.NEXT,@D⟨@Y⟩.NEXT>,@Z,@Y)
    SUB ¬(Z=Y) ∧ ¬REACH(D,D⟨Y⟩.NEXT,Y);

G3: GOAL ¬REACH(@D,@D⟨@Y⟩.NEXT,@Y)
    SUB (NILL=D⟨@S⟩.NEXT) ∧ REACH(D,Y,@S);

G4: GOAL REACH(@D,@X,@Y)
    SUB REACH(D,X,@Z) ∧ REACH(D,@Z,Y);

G5: GOAL REACH(@D∪{@Z},@X,@Y)
    SUB REACH(D,X,Y) ∧ ¬(Z=X) ∧ ¬(Z=Y);

G6: GOAL ¬REACH(@D∪{@Z},(@D∪{@Z})⟨@X⟩.NEXT,@Y)
    SUB ¬REACH(D,D⟨X⟩.NEXT,Y);

G7: GOAL ((@D∪{@Z})⟨@S⟩=NILL)
    SUB (D⟨S⟩=NILL);

G8: GOAL REACH(<@D∪{@Z},⟨@Z⟩.NEXT,@W>,@X,@Y)
    SUB REACH(D,X,Y) ∧ ¬(Z=X) ∧ ¬(Z=Y);

G9: GOAL REACH(<@D∪{@Z},⟨@Z⟩.NEXT,@D∪{@Z}⟨@Y⟩.NEXT>,@Z,@W)
    SUB REACH(D,Y,W) ∧ ¬(Z=Y);


The result of giving the verifier the goalfile and example 2 is the following:

FOR THE MAIN PROGRAM

THERE ARE 1 VERIFICATION CONDITIONS

# 1

(¬SENTINEL=Z00 ∧
 ¬ROOT=Z00 ∧
 ¬Y=Z00 ∧
 REACH(P#WORD,ROOT,SENTINEL) ∧
 ¬Y=SENTINEL ∧
 P#WORD⟨SENTINEL⟩.NEXT=NILL ∧
 REACH(P#WORD,ROOT,Y) ∧
 REACH(P#WORD,Y,SENTINEL)
⊃ REACH(<<P#WORD∪{Z00},⟨Z00⟩.NEXT,P#WORD∪{Z00}⟨Y⟩.NEXT>,⟨Y⟩.NEXT,Z00>,ROOT,
        SENTINEL))

AFTER SOME SIMPLIFICATION, YOU CAN GET

# 1 TRUE


Notice that the class expression in the unsimplified VC conclusion
represents the result of executing example 2. So this VC might itself be accepted as a
lemma about insertion operations in the verification of more complex programs.

Example 3 illustrates what happens when we reverse the order of instructions
in example 2. The program is no longer correct in that it does introduce a loop
into a loopfree structure. The program was run through the verifier with the same
GOALFILE that was used previously.


Example 3.

ENTRY REACH(P#WORD,ROOT,SENTINEL) ∧ ¬(Y=SENTINEL) ∧ (SENTINEL↑.NEXT=NILL) ∧
      REACH(P#WORD,ROOT,Y) ∧ REACH(P#WORD,Y,SENTINEL);
EXIT REACH(P#WORD,ROOT,SENTINEL);

TYPE REF = ↑WORD;
TYPE WORD = RECORD COUNT: INTEGER; NEXT: REF END;
VAR Y, Z, ROOT, SENTINEL: REF;
BEGIN
  NEW(Z);
  Y↑.NEXT := Z;
  Z↑.NEXT := Y↑.NEXT
END.
FOR MAIN PROGRAM

THERE ARE 1 VERIFICATION CONDITIONS

# 1

(¬SENTINEL=Z00 ∧
 ¬ROOT=Z00 ∧
 ¬Y=Z00 ∧
 REACH(P#WORD,ROOT,SENTINEL) ∧
 ¬Y=SENTINEL ∧
 P#WORD⟨SENTINEL⟩.NEXT=NILL ∧
 REACH(P#WORD,ROOT,Y) ∧
 REACH(P#WORD,Y,SENTINEL)
⊃ REACH(<<P#WORD∪{Z00},⟨Y⟩.NEXT,Z00>,⟨Z00⟩.NEXT,<P#WORD∪{Z00},⟨Y⟩.NEXT,Z00>⟨Y⟩.NEXT>,
        ROOT,SENTINEL))

AFTER SOME SIMPLIFICATION, YOU CAN GET

# 1

(¬Z00=Y ∧
 REACH(P#WORD,ROOT,SENTINEL) ∧
 ¬Y=SENTINEL ∧
 P#WORD⟨SENTINEL⟩.NEXT=NILL ∧
 REACH(P#WORD,ROOT,Y) ∧
 REACH(P#WORD,Y,SENTINEL) ∧
 ¬Z00=SENTINEL ∧
 ¬Z00=ROOT
⊃ REACH(<<P#WORD∪{Z00},⟨Y⟩.NEXT,Z00>,⟨Z00⟩.NEXT,Z00>,ROOT,SENTINEL))


The loop construction can be seen by analysis of the reference class expression
in the conclusion of the simplified VC. The simplification results from Axioms 3.2. It
is now easy to see that the final operation represented is Z↑.NEXT := Z which clearly
introduces a loop.
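As an added example (not code from the paper or the verifier), the following Python model represents P#WORD as a dict from cell names to NEXT pointers and implements REACH as a loop-safe walk; it replays the two assignment orders of Examples 2 and 3 on a constructed three-cell list and reports whether the ENTRY assertion held and whether the EXIT assertion survives. The cell names c1..c3 and Z00, the UNDEFINED marker and the `run` helper are this example's own choices.

```python
NILL = None
UNDEFINED = object()      # contents of a freshly allocated cell (Ax 10: selecting it is Undefined)

def reach(cells, x, y):
    """REACH(D,X,Y): the sequence X, X↑.NEXT, X↑.NEXT↑.NEXT, ... in D contains Y.
    `cells` maps a cell name to its NEXT pointer.  The visited set makes the walk
    terminate even when D contains a loop; Y is then simply reported unreachable."""
    seen = set()
    while x is not NILL and x not in seen:
        if x == y:
            return True
        seen.add(x)
        x = cells.get(x, NILL)             # X↑.NEXT; UNDEFINED names no cell, so the walk stops
    return False

def new(cells, name):
    """NEW(Z): extend the reference class by a fresh cell with undefined contents."""
    assert name not in cells, "the new variable must not appear anywhere"
    cells[name] = UNDEFINED
    return name

def example_2(cells, y, z):
    """Insertion of Z after Y in the order of Example 2."""
    cells[z] = cells[y]                    # Z↑.NEXT := Y↑.NEXT
    cells[y] = z                           # Y↑.NEXT := Z

def example_3(cells, y, z):
    """The same two assignments in reverse order (Example 3)."""
    cells[y] = z                           # Y↑.NEXT := Z
    cells[z] = cells[y]                    # Z↑.NEXT := Y↑.NEXT, which is now Z itself

def run(body):
    """Constructed input: ROOT=c1 → c2 → c3=SENTINEL → NILL with Y=c2.
    Checks the ENTRY assertion, performs NEW(Z) then `body`, and returns
    (ENTRY held, EXIT REACH(P#WORD,ROOT,SENTINEL) holds, Z↑.NEXT = Z)."""
    cells = {'c1': 'c2', 'c2': 'c3', 'c3': NILL}
    root, y, sentinel = 'c1', 'c2', 'c3'
    entry = (reach(cells, root, sentinel) and y != sentinel and cells[sentinel] is NILL
             and reach(cells, root, y) and reach(cells, y, sentinel))
    z = new(cells, 'Z00')
    body(cells, y, z)
    return entry, reach(cells, root, sentinel), cells[z] == z
```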
4.4 Sentinel Problem

This program was suggested by N. Wirth. It operates on a linear list. Each cell
of the list has three fields: KEY, COUNT, and NEXT. KEY field contains the
identification name for the cell, COUNT field contains the number of times SEARCH
is called with the corresponding KEY, and NEXT field contains the pointer to the
next cell in the list. ROOT points to the first cell and SENTINEL points to the next
to the last cell. The last cell is a dummy cell.


TYPE REF = ↑WORD;
TYPE WORD = RECORD KEY: INTEGER; COUNT: INTEGER; NEXT: REF END;
VAR K: INTEGER;
    ROOT, SENTINEL: REF;

PROCEDURE SEARCH(X: INTEGER; SENTINEL: REF; VAR ROOT: REF);
VAR U1, U2: REF;
BEGIN U1 := ROOT;
  SENTINEL↑.KEY := X;
  IF U1 = SENTINEL THEN
  BEGIN
    NEW(ROOT);
    ROOT↑.KEY := X; ROOT↑.COUNT := 1; ROOT↑.NEXT := SENTINEL
  END ELSE
  IF U1↑.KEY = X THEN U1↑.COUNT := U1↑.COUNT+1 ELSE
  BEGIN
    REPEAT U2 := U1; U1 := U2↑.NEXT
    UNTIL U1↑.KEY = X;
    IF U1 = SENTINEL THEN
    BEGIN
      U2 := ROOT; NEW(ROOT);
      ROOT↑.KEY := X; ROOT↑.COUNT := 1; ROOT↑.NEXT := U2
    END ELSE
    BEGIN
      U1↑.COUNT := U1↑.COUNT+1;
      U2↑.NEXT := U1↑.NEXT;
      U1↑.NEXT := ROOT; ROOT := U1
    END
  END
END;.
In order to verify this program we have to show that several properties hold.
Here are some of them. (1) The list structure is always loopfree and SENTINEL is
reachable from ROOT. (2) If a cell with the given KEY exists in the list, no new cell
is added; otherwise, one cell is added. (3) No two KEY's of cells in the list are the
same. (4) After execution the list is reordered so that the first cell has the same KEY
as the given KEY argument of SEARCH, and the order of the other cells is
unchanged. (5) Only the COUNT field of the cell with the given KEY is incremented
by 1, and the rest are unchanged. And finally the program terminates. Here we are
going to show a verification that the first two properties — reachability and non
deletion — hold.

Example 4 is the program with assertions about reachability. The ENTRY and EXIT
assertions state that loopfreeness is maintained. The only additional documentation is
an invariant describing obvious properties of the variables in the REPEAT loop.
Example 4.

PASCAL

TYPE REF = ↑WORD;
TYPE WORD = RECORD KEY: INTEGER; COUNT: INTEGER; NEXT: REF END;
VAR K: INTEGER;
    ROOT, SENTINEL: REF;

PROCEDURE SEARCH(X: INTEGER; SENTINEL: REF; VAR ROOT: REF);
ENTRY REACH(P#WORD,ROOT,SENTINEL) ∧ (SENTINEL↑.NEXT=NILL);
EXIT REACH(P#WORD,ROOT,SENTINEL);

VAR U1, U2: REF;
BEGIN U1 := ROOT;
  SENTINEL↑.KEY := X;
  IF U1 = SENTINEL THEN
  BEGIN
    NEW(ROOT);
    ROOT↑.KEY := X; ROOT↑.COUNT := 1; ROOT↑.NEXT := SENTINEL
  END ELSE
  IF U1↑.KEY = X THEN U1↑.COUNT := U1↑.COUNT+1 ELSE
  BEGIN
    REPEAT U2 := U1; U1 := U2↑.NEXT
    INVARIANT
      REACH(P#WORD,ROOT,U2) ∧ (U1=U2↑.NEXT) ∧ ¬(U2=SENTINEL) ∧
      REACH(P#WORD,U1,SENTINEL) ∧ (SENTINEL↑.KEY=X) ∧
      (SENTINEL↑.NEXT=NILL)
    UNTIL U1↑.KEY = X;
    IF U1 = SENTINEL THEN
    BEGIN
      U2 := ROOT; NEW(ROOT);
      ROOT↑.KEY := X; ROOT↑.COUNT := 1; ROOT↑.NEXT := U2
    END ELSE
    BEGIN
      U1↑.COUNT := U1↑.COUNT+1;
      U2↑.NEXT := U1↑.NEXT;
      U1↑.NEXT := ROOT; ROOT := U1
    END
  END
END;.
Below is a GOALFILE containing a basis that is sufficient to verify Example 4 (i.e.
that the program satisfies its documentation). Comments explaining some of the goals
appear between % signs. It turned out that goals … were not used in this
verification.


GOALFILE

G1: AXIOM REACH(@D,@X,@X) = TRUE;

G2: GOAL REACH(@D,@X,@Y)
    SUB REACH(D,X,@Z) ∧ REACH(D,@Z,Y);

G3: GOAL REACH(@D,@R,@D⟨@X⟩.NEXT) SUB REACH(D,R,X);

G4: GOAL REACH(@D,@D⟨@X⟩.NEXT,@Y) SUB ¬(X=Y) ∧ REACH(D,X,Y);
%X↑.NEXT is between X and Y%

G5: GOAL ¬(@X=@Y) SUB ¬(@D⟨X⟩.KEY = @D⟨Y⟩.KEY);
%KEY fields of distinct cells are distinct%

G6: GOAL ¬(@W=@D⟨@Y⟩.NEXT) SUB
    ¬REACH(D,D⟨Y⟩.NEXT,W);
%This is a special case of: if W is not reachable from
 X then ¬(X=W)%

G7: AXIOM REACH(<@D,⟨@X⟩.KEY,@E>,@Y,@Z) = REACH(D,Y,Z);

G8: AXIOM REACH(<@D,⟨@X⟩.COUNT,@E>,@Y,@Z) = REACH(D,Y,Z);
%AXIOMS 7 and 8 state that operations on the KEY and COUNT fields
 do not alter loopfreeness%

G9: GOAL ¬REACH(@D∪{@X},@X,@Z) SUB ¬(X=Z);

G10: GOAL ¬REACH(@D∪{@X},@Z,@X) SUB ¬(X=Z);

G11: GOAL REACH(@D∪{@Z},@X,@Y)
     SUB ¬(Z=X) ∧ ¬(Z=Y) ∧ REACH(D,X,Y);
%9-11 define the Reachability relation on newly allocated cells%

G12: GOAL REACH(<@D∪{@Z},⟨@Z⟩.NEXT,@D∪{@Z}⟨@Y⟩.NEXT>,@Z,@W)
     SUB ¬(Z=Y) ∧ REACH(D,Y,W);

G13: GOAL REACH(<@D,⟨@Y⟩.NEXT,@Z>,@X,@W)
     SUB REACH(D,X,Y) ∧ ¬REACH(D,Z,Y) ∧ REACH(D,Z,W);
%12,13 describe sufficient conditions for preservation of
 Reachability when Z is inserted by operations similar
 to example 2%

G14: GOAL REACH(<@D,⟨@Y⟩.NEXT,@Z>,@X,@W)
     SUB REACH(D,X,Y) ∧ REACH(D,Y,Z) ∧ REACH(D,Z,W) ∧ ¬(Y=Z);
%14 gives sufficient conditions for preservation of Reachability
 when cells between Y and Z are cut out of the list%

G15: GOAL ¬REACH(<@D,⟨@Y⟩.NEXT,@Z>,@X,@W)
     SUB REACH(D,X,Y) ∧ REACH(D,Y,W) ∧ REACH(D,W,Z) ∧ ¬REACH(D,Z,W) ∧
         ¬(Y=W) ∧ ¬(W=Z);
%15 states that if W is strictly between Y and Z, and there are no
 loops back to W after Z, then W cannot be reached after cutting
 out the cells between Y and Z.%

G16: GOAL ¬REACH(@D,@D⟨@X⟩.NEXT,@Y)
     SUB REACH(D,Y,X) ∧ REACH(D,X,@S) ∧ (D⟨@S⟩.NEXT=NILL);
%Y cannot be reached from X↑.NEXT if X can be reached from Y and there
 are no loops after X. Here S is the end cell of the list structure and
 if it is reachable from X then there are no loops after X.%


Below is the annotated program to prove the subset property, i.e. the cells of the
input list are a subset of those of the output. We have introduced a function
LIST(X,Y,D) which is defined if REACH(D,X,Y) and whose value is the set of cells
between pointers X and Y excluding Y↑ in reference class D. Also we use the
predicate SUBSET(A,B).

Example 5.

PASCAL

TYPE REF = ↑WORD;
TYPE WORD = RECORD KEY: INTEGER; COUNT: INTEGER; NEXT: REF END;
VAR K: INTEGER;
    ROOT, SENTINEL: REF;

PROCEDURE SEARCH(X: INTEGER; SENTINEL: REF; VAR ROOT: REF);
ENTRY (P#WORD=P0) ∧ (ROOT=R0) ∧ REACH(P#WORD,ROOT,SENTINEL) ∧
      (SENTINEL↑.NEXT=NILL);
EXIT SUBSET(LIST(R0,SENTINEL,P0),LIST(ROOT,SENTINEL,P#WORD));

VAR U1, U2: REF;
BEGIN U1 := ROOT;
  SENTINEL↑.KEY := X;
  IF U1 = SENTINEL THEN
  BEGIN
    NEW(ROOT);
    ROOT↑.KEY := X; ROOT↑.COUNT := 1; ROOT↑.NEXT := SENTINEL
  END ELSE
  IF U1↑.KEY = X THEN U1↑.COUNT := U1↑.COUNT+1 ELSE
  BEGIN
    REPEAT U2 := U1; U1 := U2↑.NEXT
    INVARIANT
      SUBSET(LIST(R0,SENTINEL,P0),LIST(ROOT,SENTINEL,P#WORD))
      ∧ (SENTINEL↑.KEY=X) ∧ (SENTINEL↑.NEXT=NILL)
      ∧ REACH(P#WORD,ROOT,U2) ∧ REACH(P#WORD,U1,SENTINEL)
      ∧ (<P0,⟨SENTINEL⟩.KEY,X> = P#WORD)
      ∧ (U1=U2↑.NEXT) ∧ ¬(U2=SENTINEL)
    UNTIL U1↑.KEY = X;
    IF U1 = SENTINEL THEN
    BEGIN
      U2 := ROOT; NEW(ROOT);
      ROOT↑.KEY := X; ROOT↑.COUNT := 1; ROOT↑.NEXT := U2
    END ELSE
    BEGIN
      U1↑.COUNT := U1↑.COUNT+1;
      U2↑.NEXT := U1↑.NEXT;
      U1↑.NEXT := ROOT; ROOT := U1
    END
  END
END;.


This GOALFILE together with the previous GOALFILE for reachability form a Basis
for verifying Example 5. The AXIOMS here describe straightforward properties of
LIST and SUBSET. UNION is the usual union operation on sets.


GOALFILE

1. AXIOM  LIST(@X,@Y,<@D,⟨@W⟩.KEY,@Z>) = LIST(X,Y,D);

2. AXIOM  LIST(@X,@Y,<@D,⟨@W⟩.COUNT,@Z>) = LIST(X,Y,D);

3. AXIOM  IF ¬(X=Z) ∧ ¬(Y=Z) THEN LIST(@X,@Y,@D∪{@Z}) = LIST(X,Y,D);

4. AXIOM  IF REACH(D,R0,X) ∧ REACH(D,Y,R1) ∧ ¬REACH(D,Y,X)
          THEN LIST(@R0,@R1,<@D,⟨@X⟩.NEXT,@Y>)
               = UNION(LIST(R0,D⟨X⟩.NEXT,D),LIST(Y,R1,D));

5. AXIOM  IF REACH(D,Z,X) ∧ ¬REACH(D,X,Z)
          THEN LIST(@X,@Y,<@D,⟨@Z⟩.NEXT,@E>) = LIST(X,Y,D);

6. AXIOM  LIST(@R,@R,@D) = ZERO;

7. AXIOM  UNION(@D,ZERO) = D;

8. AXIOM  UNION(LIST(@X,@Y,@D),
                UNION(LIST(@R,@X,@D),LIST(@Y,@S,@D)))
          = LIST(R,S,D);

9. AXIOM  SUBSET(@X,@X) = TRUE;

10. AXIOM SUBSET(ZERO,@X) = TRUE;

11. AXIOM SUBSET(@X,UNION(@Y,@X)) = TRUE;
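An added example, not the paper's program or its verifier: a Python transcription of SEARCH from Section 4.4 over a dict-based reference class, with LIST and SUBSET as defined above for Example 5, run on constructed lists to check the EXIT assertions of Example 4 (SENTINEL stays reachable from ROOT) and Example 5 (the input cells are a subset of the output cells). The cell names c0, c1, ... the Cell class and the `check` helper are this example's own choices.

```python
NILL = None

class Cell:
    """One WORD record: KEY, COUNT and NEXT (a cell name or NILL)."""
    def __init__(self, key, count, nxt):
        self.key, self.count, self.next = key, count, nxt

def new(cells, rec):
    """NEW: allocate a fresh cell name (the X' of Rule 3) holding record rec."""
    name = f"c{len(cells)}"
    cells[name] = rec
    return name

def search(cells, x, sentinel, root):
    """SEARCH(X: INTEGER; SENTINEL: REF; VAR ROOT: REF); returns the new ROOT."""
    u1 = root
    cells[sentinel].key = x                       # SENTINEL↑.KEY := X
    if u1 == sentinel:                            # empty list: allocate the first real cell
        root = new(cells, Cell(x, 1, sentinel))
    elif cells[u1].key == x:                      # already at the front
        cells[u1].count += 1
    else:
        while True:                               # REPEAT U2 := U1; U1 := U2↑.NEXT UNTIL U1↑.KEY = X
            u2, u1 = u1, cells[u1].next
            if cells[u1].key == x:
                break
        if u1 == sentinel:                        # not found: a new cell becomes ROOT↑
            u2, root = root, new(cells, Cell(x, 1, root))
        else:                                     # found: unlink U1↑ and move it to the front
            cells[u1].count += 1
            cells[u2].next = cells[u1].next
            cells[u1].next = root
            root = u1
    return root

def list_cells(cells, x, y):
    """LIST(X,Y,D): the cells from X up to but excluding Y↑; None unless REACH(D,X,Y)."""
    out = set()
    while x != y:
        if x is NILL or x in out:                 # fell off the end, or looped without meeting Y
            return None
        out.add(x)
        x = cells[x].next
    return out

def subset(a, b):
    """SUBSET(A,B) on the sets returned by list_cells (undefined LISTs never satisfy it)."""
    return a is not None and b is not None and a <= b

def check(keys, x):
    """Builds ROOT → keys... → SENTINEL → NILL (a constructed input satisfying the
    ENTRY assertion), runs SEARCH(x), and returns (EXIT of Example 4: REACH kept,
    EXIT of Example 5: SUBSET(LIST(R0,SENTINEL,P0),LIST(ROOT,SENTINEL,P#WORD)),
    the KEY sequence of the resulting list)."""
    cells = {}
    sentinel = new(cells, Cell(None, 0, NILL))
    root = sentinel
    for k in reversed(keys):
        root = new(cells, Cell(k, 0, root))
    before = list_cells(cells, root, sentinel)    # LIST(R0,SENTINEL,P0)
    root = search(cells, x, sentinel, root)
    after = list_cells(cells, root, sentinel)     # LIST(ROOT,SENTINEL,P#WORD)
    order, c = [], root
    while after is not None and c != sentinel:
        order.append(cells[c].key)
        c = cells[c].next
    return after is not None, subset(before, after), order
```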